mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-24 14:06:47 +01:00
Better goals description.
parent
356f466c53
commit
a2dc24f61d
1 changed files with 21 additions and 16 deletions
37
README.md
|
@ -1,30 +1,23 @@
|
|||
[<img src="https://gitlab.com/uploads/-/system/project/avatar/25600351/logo.png" align="right" height="110"/>][project]
|
||||
|
||||
# apparmor.d
|
||||
# apparmor.d [![][build]][project]
|
||||
|
||||
[![][build]][project]
|
||||
|
||||
**Full set of apparmor profiles**
|
||||
**Full set of AppArmor profiles**
|
||||
|
||||
> Warning: This project is still in early development.
|
||||
|
||||
|
||||
## Description
|
||||
|
||||
A set of over 800 apparmor profiles which aims is to confine most of Linux base
|
||||
applications and processes.
|
||||
A set of over 800 AppArmor profiles which aims is to confine most of Linux base applications and processes.
|
||||
|
||||
**Goals & Purpose**
|
||||
- All distribution that support Apparmor (currenlty Archlinux and Debian),
|
||||
- Support all distribution that support AppArmor (currenlty Archlinux and Debian),
|
||||
- Target both desktop and server,
|
||||
- Confine all root services (bluetooth, dbus, polkit, networkmanager...),
|
||||
- Confine all root processes (bluetooth, dbus, polkit, networkmanager, systemd...),
|
||||
- Confine all Desktop environments (currently only Gnome),
|
||||
- Fully tested (Work in progress),
|
||||
- Should not break a normal usage of the confined software.
|
||||
|
||||
These profiles strive to be fully functional with zero audit log warnings under
|
||||
proper behavior. Functionality is not ignored. If functionality is not
|
||||
explicitly blocked, then it's probably a bug in the profile and should be fixed.
|
||||
- Fully tested (Work in progress),
|
||||
|
||||
**Note:** This work is part of a bigger linux security project.
|
||||
|
||||
|
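Review bot: The reworded description and first goal line keep two errors from the text they replace: "which aims is to confine" and "currenlty". Since both lines are touched anyway, fix them in this commit, for example "A set of over 800 AppArmor profiles whose aim is to confine most Linux base applications and processes." and "(currently Archlinux and Debian)". In the same goal line, "all distribution that support" should read "all distributions that support".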
@ -32,6 +25,15 @@ explicitly blocked, then it's probably a bug in the profile and should be fixed.
|
|||
to extend it to more Linux distributions and desktop environements.
|
||||
|
||||
|
||||
## Concepts
|
||||
|
||||
There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore a question arises: *What to confine and why?*
|
||||
|
||||
We take inspiration from the [Android/ChromeOS Security Model][android_model] and we apply it to the Linux world. Modern [linux security implementation][clipos] usually consider a core base image with a carefully set of selected applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, bluetooth, your desktop environment... Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap...).
|
||||
|
||||
This is fundamentally different from how AppArmor is used on Linux server as it is common to only confine the applications that face the internet and/or the users.
|
||||
|
||||
|
||||
## Tests
|
||||
|
||||
A full test suite to ensure compatibility across distributions and softwares is
|
||||
|
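Review bot: The new Concepts section defines the confinement scope only by example ("all systemd services, xwayland, network, bluetooth, your desktop environment..."), so a reader cannot tell whether a given program counts as *core* or is expected to be sandboxed with a separate tool (minijail, bubblewrap...). Consider stating the criterion in one sentence, or pointing to where the list of covered programs lives. Wording in the same paragraph: "a carefully set of selected applications" should be "a carefully selected set of applications", "[linux security implementation][clipos] usually consider" needs a plural subject, and "on Linux server" should be "on Linux servers".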
@ -42,7 +44,8 @@ still a work in progress.
|
|||
**Requirements**
|
||||
* An `apparmor` based linux distribution.
|
||||
* A `systemd` based linux distribution.
|
||||
* Base profiles and abstraction shipped with apparmor are supposed to be installed.
|
||||
* Base profiles and abstractions shipped with AppArmor are supposed to be
|
||||
installed.
|
||||
|
||||
**Archlinux**
|
||||
|
||||
|
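Review bot: In the Requirements list, "are supposed to be installed" reads as an assumption rather than a requirement and does not tell the user what to do when the base profiles and abstractions are missing. Suggest "must be installed". The item is also hard-wrapped with "installed." alone on the following line, while the description and license paragraphs in this same commit are unwrapped onto a single line; keeping this item on one line would be consistent.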
@ -65,8 +68,7 @@ Feedbacks, contributors, pull requests, are all very welcome.
|
|||
|
||||
## License
|
||||
|
||||
This program is based on Mikhail Morfikov's [apparmor profiles project][upstream]
|
||||
and thus has the same license (GPL2).
|
||||
This program is based on Mikhail Morfikov's [apparmor profiles project][upstream] and thus has the same license (GPL2).
|
||||
|
||||
```
|
||||
Copyright (C) Alexandre PUJOL & Mikhail Morfikov
|
||||
|
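Review bot: The unwrapped license sentence still names the license only as "GPL2", which does not say whether later versions are permitted. Since the line is being rewritten, consider using the precise identifier (GPL-2.0-only or GPL-2.0-or-later, whichever matches the notice in the block below it).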
@ -88,3 +90,6 @@ with this program; if not, write to the Free Software Foundation, Inc.,
|
|||
[upstream]: https://gitlab.com/morfikov/apparmemall
|
||||
[project]: https://gitlab.com/roddhjav/apparmor.d
|
||||
[build]: https://gitlab.com/roddhjav/apparmor.d/badges/master/pipeline.svg?style=flat-square
|
||||
|
||||
[android_model]: https://arxiv.org/pdf/1904.05572
|
||||
[clipos]: https://clip-os.org/en/
|
||||
|
|
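Review bot: The `[android_model]` reference points straight at a PDF (https://arxiv.org/pdf/1904.05572). Linking the abstract page, https://arxiv.org/abs/1904.05572, lets readers see the title, authors and revision before downloading. Both new labels, `[android_model]` and `[clipos]`, are used in the Concepts paragraph, so neither is dangling.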